Trust Center
Overview
Faro maintains an information security and compliance program intended to keep it continuously compliant with customer requirements and applicable laws. Using a compliance management system, Faro tracks its security, privacy, and regulatory controls so that the level of trust customers expect is met or exceeded. This page describes, at a high level, the capabilities and structure of Faro's approach to information security and compliance.
Security, Privacy and Compliance
Standards and best practices
The list below states the standards, regulations, and best practices that Faro's Information Security and Compliance program actively tracks against, so that customers can maintain their own compliance when using Faro solutions.
- Service Organization Control 2 (SOC 2) Type II
- ISO 9001:2015 – Quality Management Systems
- ISO 27001:2022 – Information Security Management Systems
Faro has designed its internal processes using the following best practices within its security program:
- NIST SP 800-18 – Developing Security Plans for Federal Information Systems
- NIST SP 800-34 – Contingency Planning Guide
- NIST SP 800-37 – Risk Management Framework
- NIST SP 800-39 – Managing Information Security Risk
- NIST SP 800-40 – Guide to Enterprise Patch Management Planning
- NIST SP 800-53 r5.1 – Security and Privacy Controls for Information Systems and Organizations
- NIST SP 800-61 – Computer Security Incident Handling Guide
- NIST SP 800-84 – Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities
- NIST SP 800-137 – Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations
- ISO 27002:2022 – Information Security Controls
AI Governance
The list below states the standards, regulations, and best practices that Faro's AI Governance program actively tracks against, so that the level of trust maintained in its products meets customer expectations.
- ISO/IEC 42001:2023 – Information Technology – Artificial Intelligence – Management System
- ISO/IEC 23894:2023 – Information Technology – Artificial Intelligence – Guidance on Risk Management
- NIST AI 600-1 – Artificial Intelligence Risk Management Framework: Generative AI Profile
- European Union Artificial Intelligence Act (EU AI Act)
- OWASP Top 10 for Large Language Model Applications
Certifications
Faro engages third-party auditors to perform a SOC 2 Type II audit annually, covering the security, confidentiality, and availability of Faro products and their underlying infrastructure. Faro has also achieved ISO 27001:2022 certification, validating that Faro's information security management system follows international standards and best practices for information security.
Personnel Security
Faro hires only qualified applicants and performs comprehensive background checks before employment. On an annual basis, all employees receive security, privacy, and regulatory training commensurate with their role at Faro, so that all data is handled appropriately and securely. All Faro personnel must agree to Faro policies, including those covering non-disclosure, confidentiality, security, and acceptable use, before gaining access to sensitive data.
Quality Management System
Faro maintains a Quality Management System (QMS) based on the ISO 9001:2015 standard for all product development, so that products meet the level of quality customers expect and any non-conformance is remediated in a timely fashion.
Data Privacy
The only personally identifiable information (PII) held on Faro products is the minimum necessary to provide platform users with access. Faro's privacy program aligns with GDPR requirements for data subject rights, and any GDPR-related requests can be directed to the customer's point of contact.
Protecting Data
Data Tenancy and Separation of Customer Data
Faro keeps each customer's data secure and segmented from that of other customers. For any customer in Faro's multi-tenant environments, customer data is logically separated at the database/datastore level.
Data Durability
Faro protects all customer data against loss in case the unexpected happens. All customer data is stored with Faro's cloud provider on storage infrastructure designed for high durability, so that any data created on the Faro Study Designer platform is protected.
Backups
Faro performs automatic backups of all customer data to protect against loss due to unforeseen events. Data is backed up to multiple redundant datacenters and backups are monitored by the Faro Global Operations Center to ensure a continuous level of data protection.
Encryption
Faro uses industry-standard encryption for all communications and customer data, both at rest and in transit. For data at rest, Faro uses FIPS 140-2 compliant AES-256-CBC encryption or stronger. For all data in transit, Faro uses TLS 1.2 or later.
Product Security
Vulnerability Management
Faro maintains an active vulnerability management program that reviews vulnerabilities in code developed by Faro, in third-party software, and in Faro's product infrastructure. Faro does not operate a bug bounty program, but external parties can report any externally discovered vulnerabilities to security@farohealth.com. Invasive testing of Faro systems is not permitted without explicit written approval.
Application Security
Faro uses industry-standard technologies to protect its product infrastructure against external threats such as SQL injection, cross-site scripting, man-in-the-middle attacks, and the other attack classes identified in the OWASP Top 10. All dependencies within Faro's software supply chain are monitored so that the foundation of every Faro product remains secure.
Incident Response
Faro's Global Operations Center actively monitors Faro's infrastructure from both an operational and a security perspective to maintain the confidentiality, integrity, and availability of Faro products and any customer data stored within them. All platform traffic and authentication activity is monitored using automation coupled with a well-documented process, so that any malicious activity is detected and responded to in a timely manner.
Third Party Software Reviews
All software used within Faro platforms is reviewed at least annually to confirm it aligns with the security, privacy, and regulatory requirements Faro customers expect. Any subprocessors used by Faro products go through a stringent review process, which includes customer notification.
Disaster Recovery and Business Continuity
To support the recovery time and recovery point objectives for its products, Faro maintains a Disaster Recovery and Business Continuity Plan (DR/BCP) that is tested, and trained against, at least annually. Any deviations discovered during testing are documented and used to continuously improve the process.
Third Party Security Testing
Faro validates the effectiveness of its security program by engaging a third party to test the security of Faro products at least annually, and ingests any findings into Faro's vulnerability management program.
Access Controls
Authentication
Faro uses industry-standard authentication modules for customer authentication and single sign-on (SSO), allowing customers to manage platform users through their own identity provider and to require multi-factor authentication.
Least Access Privilege
Faro personnel who support the product infrastructure have no default access to customer data and must initiate a "break the glass" procedure to gain it; the procedure requires approval and is reviewed after the fact. All Faro access to product infrastructure is designed on the zero trust model and grants only the least amount of access required at any given time.
Auditing
Access to the Faro platform is continuously audited and monitored for abnormal activity. Audit logs are immutable, which provides a complete audit trail of access to the platform and its underlying infrastructure.